
Computer security – On the hush hush

eBay is down for several hours and offers no explanation for the outage. Technical problems? Rogue hacker? While outages are headaches for customers, they can be devastating to the company in lost revenue and reputation. It may be relatively easy to stomach problems caused by a router crash or a hard drive failure, but when an outage is caused by a hacker attack or security breach, the company is suddenly caught with its pants down and its security strategy is called into question. As a result, many corporations have decided not to report security breaches and attacks for fear of bad publicity.

A study conducted by the F.B.I. and the Computer Security Institute polled 503 computer security practitioners from corporations, government agencies, universities, and financial and medical institutions. Ninety percent of the respondents reported security breaches within the past year, yet only 30 percent reported those breaches to law enforcement officials. (Note: I believe they count computer viruses as a "security breach.") The Director of the Computer Security Institute remarked on the report:

"... technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom,' for example that the 'threat from inside the organization is far greater than the threat from outside the organization' and that 'most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.' Over the seven-year life span of the survey, a sense of the 'facts on the ground' has emerged. There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace..."

Reading over the study's numbers, it is surprising how many of the respondents were attacked. Forty percent detected denial of service attacks, and 70 percent reported vandalism. Fewer than half of the respondents quantified the financial losses associated with their security breaches. Among those who did, the majority of the losses came from theft of proprietary information and financial fraud, even though those two categories accounted for less than twenty percent of the security breaches.

Many of the study's respondents said they would report security breaches to law enforcement officials more often if they were guaranteed that the information would not be released under the Freedom of Information Act. Even with that guarantee, I wonder how willing the companies would be to inform their shareholders about security breaches. Until that changes, you may just have to read between the lines when a company does not disclose the reasons for computer downtime.